
Vulnerability in Google Chrome turns out to be Adobe Flash vulnerability

This week the Internet was shaken by the news that experts from VUPEN, well known from the Pwn2Own contests, escaped the Google Chrome sandbox and ran arbitrary code, launching the Windows calculator from a specially prepared page. A notable feature of the attack was that it bypassed not only the browser sandbox but also the Windows 7 protection mechanisms ASLR and DEP. Details of the attack were not disclosed (more precisely, the company disclosed them only to government bodies and its own customers), which gave rise to various rumors on the Web, up to and including claims that the video was a fake. On Habrahabr, Yevgeny Zharkov and Vladimir Yunev also expressed doubts about the authenticity of the only video in which the browser hack was demonstrated.

Nevertheless, the French hackers really did hack the browser, but as it turned out, the target was not the browser itself but Adobe Flash Player. Browser developer Tavis Ormandy criticized VUPEN for its experts underestimating the Google Chrome sandbox, and journalists for overinflating the situation (indeed, critical holes in Google Chrome are not uncommon (the company groups them by degree of danger from lowest to highest: low, medium, high and critical), and the company does not hide them but describes them on its official blog, yet journalists suddenly took an interest in this particular vulnerability). Chris Evans, another browser developer, said that since the vulnerability requires an additional plug-in, it is not a browser problem. The same view is held by Adrian Kingsley-Hughes, a ZDNet journalist who closely follows the situation. However, I cannot agree with either Chris or Adrian. As is known, Google reached a special agreement with Adobe on including the module in the distribution, on priority updates, and on joint work on developing a plug-in for viewing PDF and running Adobe Flash inside the sandbox. Therefore, the VUPEN experts did hack Google Chrome, or rather a component that ships inseparably with the browser. Yet if hackers took a vanilla Chromium build of the same version as the hacked Google Chrome, their exploit would be worthless, since it requires Flash. Still, Google needs to think carefully about how to secure the plug-in, because even the sandbox did not save the browser from the exploit. It may be worth blocking Flash content by default, as is done with Java / IcedTea, or letting the user launch the plug-in themselves after an alert similar to the search-engine installation prompt, one that describes the advantages and capabilities of Flash along with a note on its security issues.

Based on ZDNet and the podcast by jeje and XaocCPS.

Source: https://habr.com/ru/post/119110/
